Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for detecting malicious content, the method comprising: monitoring, by a monitoring module executed by a processor, behavior of a malicious content suspect executed within a sandboxed operating environment, the sandboxed operating environment comprises a virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect; in response to detection of one or more predetermined events from the monitored behavior that are triggered by the malicious content suspect, generating, by a memory dump module, a memory dump associated with the malicious content suspect; storing, within a storage device, a portion of data associated with the virtual machine, which includes one or more of (i) contents of the memory dump and (ii) the one or more predetermined events, in a directory accessible to a controller that is part of a virtual machine monitor (VMM); retrieving at least the contents of the memory dump via the directory; and analyzing, by an analysis module, at least the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
2. The method of claim 1 , wherein the memory dump comprises information concerning data accessed by the malicious content suspect, an executable image of the malicious content suspect, and information concerning activities performed by the malicious content suspect during the execution of the malicious content suspect.
3. The method of claim 2 , wherein the memory dump further comprises information concerning content embedded within the malicious content suspect that is revealed only through the execution of the malicious content suspect.
4. The method of claim 1 , further comprising in response to detection of an event of the one or more predetermined events triggered by the malicious content suspect, transmitting by the monitoring module a message identifying the detected event to the analysis module, wherein the analysis module performs the analysis of the memory dump in view of the message received from the monitoring module.
5. The method of claim 1 , further comprising: transmitting the contents of the memory dump to a remote facility over a network to be analyzed by the remote facility.
6. The method of claim 1 , wherein the monitoring module is running within the virtual machine that is hosted by a guest operating system (OS), and wherein the analysis module is running within a host OS that manages the guest OS.
7. The method of claim 1 , further comprising retrieving via the directory one or more files that have been accessed by the malicious content suspect during the execution of the malicious content suspect.
8. The method of claim 1 , wherein the generating of the memory dump comprises invoking a memory dump utility that is associated with an operating system hosting the sandboxed operating environment to capture information associated with the malicious content suspect from a memory.
9. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform a method of malicious content detection, the method comprising: monitoring, by a monitoring module, behavior of a malicious content suspect executed within a sandboxed operating environment, the sandboxed operating environment comprises a virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect; in response to detection of one or more predetermined events from the monitored behavior that are triggered by the malicious content suspect, generating, by a memory dump module, a memory dump associated with the malicious content suspect; storing, within a storage device, a portion of data associated with the virtual machine, which includes one or more of (i) contents of the memory dump and (ii) the one or more predetermined events, in a directory accessible to a controller that is part of a virtual machine monitor (VMM); retrieving at least the contents of the memory dump via the directory; and analyzing, by an analysis module, at least the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
10. The medium of claim 9 , wherein the memory dump comprises information concerning data accessed by the malicious content suspect, an executable image of the malicious content suspect, and information concerning activities performed by the malicious content suspect during the execution of the malicious content suspect.
11. The medium of claim 10 , wherein the memory dump further comprises information concerning content embedded within the malicious content suspect that is revealed only through the execution of the malicious content suspect.
12. The medium of claim 9 , wherein the method further comprises in response to detection of an event of the one or more predetermined events triggered by the behavior of the malicious content suspect, transmitting by the monitoring module a message identifying the detected event to the analysis module, wherein the analysis module performs the analysis of the memory dump in view of the message received from the monitoring module.
13. The medium of claim 9 , wherein the method further comprises: transmitting contents of the memory dump to a remote facility over a network to be analyzed by the remote facility.
14. The medium of claim 9 , wherein the monitoring module is running within the VM that is hosted by a guest operating system (OS), and wherein the analysis module is running within a host OS that manages the guest OS.
15. The medium of claim 9 , wherein the method further comprises retrieving via the directory one or more files that have been accessed by the malicious content suspect during the execution of the malicious content suspect.
16. The medium of claim 9 , wherein generating a memory dump comprises invoking a memory dump utility that is associated with an operating system hosting the sandboxed operating environment to capture information associated with the malicious content suspect from a memory.
17. A malicious content detection system, comprising: a display device; a display controller communicatively coupled to the display device, the display controller to control the display device; a processor communicatively coupled to the display controller, the processor is configured to process: a monitoring module that includes logic to monitor behavior of a malicious content suspect executed within a sandboxed operating environment, the sandboxed operating environment comprises a virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect, a memory dump module communicatively coupled to the monitoring module, the memory dump module includes logic that, in response to detection of one or more predetermined events from the monitored behavior that are triggered by the malicious content suspect, generates a memory dump associated with the malicious content suspect, a file extractor that includes logic that stores, within a storage device, a portion of data associated with the virtual machine, which includes one or more of (i) contents of the memory dump and (ii) one or more predetermined events, in a directory accessible to a controller that is part of a virtual machine monitor (VMM), and an analysis module communicatively coupled to the monitoring module and the memory dump module, the analysis module configured to analyze at least the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
18. The system of claim 17 , wherein the memory dump comprises information concerning data accessed by the malicious content suspect, an executable image of the malicious content suspect, and information concerning activities performed by the malicious content suspect during the execution of the malicious content suspect.
19. The system of claim 18 , wherein the memory dump further comprises information concerning content embedded within the malicious content suspect that is revealed only through the execution of the malicious content suspect.
20. The system of claim 17 , wherein the memory dump is generated by invoking a memory dump utility that is associated with an operating system hosting the sandboxed operating environment to capture information associated with the malicious content suspect from the memory.
21. A system, comprising: a hardware processor; and a memory communicatively coupled to the hardware processor, the memory comprises one or more virtual machines and a controller that is part of a virtual machine monitor (VMM) and is in communications with the one or more virtual machines, wherein at least a first virtual machine of the one or more virtual machines comprises a monitoring module that includes logic to monitor behavior of a malicious content suspect executed within the first virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect, and a memory dump module communicatively coupled to the monitoring module, the memory dump module includes logic that, in response to detection of one or more predetermined events associated with the monitored behavior of the malicious content suspect, generates a memory dump of information associated with the malicious content suspect, wherein the controller of the VMM comprises a file extractor that includes logic that stores, within a storage device, a portion of data associated with the virtual machine including one or more of (i) contents of the memory dump and (ii) the one or more predetermined events in a directory accessible to the controller, and an analysis module communicatively coupled to the monitoring module and the memory dump module that analyzes the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
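The independent claims above describe one pipeline: a guest-side monitoring module watches the suspect, a memory dump module captures memory when a predetermined event fires, the dump and the events land in a directory the VMM controller can read, and a host-side analysis module applies rules to the dump. The Python below is an added illustration of that pipeline and is not the patent's implementation or the patent holder's code: the guest VM, the VMM controller and guest memory are simulated with in-process objects and a temporary directory, and the trigger-event names, the rule set, the "packed" sample and the behaviour traces are all constructed assumptions. The point it shows is the one claim 3 makes: the rules compare the dump against the on-disk sample, so content the suspect reveals only by running (here an unpacked PE image and its beacon URL) is what separates the malicious run from a benign program that already carries a URL on disk.

```python
# Added illustration of the pipeline the independent claims describe. It is not the
# patent's implementation: guest VM, VMM controller and guest memory are simulated with
# in-process objects, and every event name, rule and byte string below is constructed.
import json
import os
import struct
import tempfile

# Assumed set of "predetermined events" that make the monitoring module request a dump.
TRIGGER_EVENTS = {"process_injection", "autorun_persistence", "outbound_connect"}


def build_fake_pe(tail: bytes) -> bytes:
    """Constructed minimal PE-shaped image: 'MZ', e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(img) + b"PE\x00\x00" + tail


def has_pe_header(buf: bytes) -> bool:
    """True if buf holds an MZ header whose e_lfanew lands on a 'PE\\0\\0' signature."""
    start = 0
    while (i := buf.find(b"MZ", start)) != -1:
        if i + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, i + 0x3C)
            if buf[i + e_lfanew : i + e_lfanew + 4] == b"PE\x00\x00":
                return True
        start = i + 1
    return False


class MemoryDumpModule:
    """Guest side: writes the suspect's memory image plus the events seen so far into the
    directory the VMM controller can read (the 'storing ... in a directory' step)."""
    def __init__(self, shared_dir: str):
        self.shared_dir, self.count = shared_dir, 0

    def dump(self, guest_memory: bytes, events: list) -> None:
        self.count += 1
        with open(os.path.join(self.shared_dir, f"dump{self.count:03d}.bin"), "wb") as f:
            f.write(guest_memory)
        with open(os.path.join(self.shared_dir, "events.json"), "w") as f:
            json.dump(events, f)


class MonitoringModule:
    """Guest side: replays a behaviour trace and fires a dump on each trigger event."""
    def __init__(self, dump_module: MemoryDumpModule):
        self.dump_module, self.seen = dump_module, []

    def observe(self, trace: list, guest_memory: bytes) -> None:
        for event in trace:
            self.seen.append(event)
            if event["type"] in TRIGGER_EVENTS:
                self.dump_module.dump(guest_memory, list(self.seen))


# Host-side rule set (assumed). Each rule sees the dump, the on-disk sample and the events,
# so it can ask what the suspect revealed only by running.
RULES = [
    ("executable revealed only at runtime",
     lambda dump, sample, ev: has_pe_header(dump) and not has_pe_header(sample)),
    ("plaintext URL absent from the sample",
     lambda dump, sample, ev: b"http://" in dump and b"http://" not in sample),
    ("persistence followed by outbound connection",
     lambda dump, sample, ev: {"autorun_persistence", "outbound_connect"}
                              <= {e["type"] for e in ev}),
]


def analyze(shared_dir: str, sample: bytes) -> dict:
    """Host side: retrieve the latest dump and the events via the directory, apply the rules."""
    dumps = sorted(p for p in os.listdir(shared_dir) if p.startswith("dump"))
    if not dumps:                       # no trigger fired, so there is nothing to analyze
        return {"malicious": False, "matched": []}
    with open(os.path.join(shared_dir, dumps[-1]), "rb") as f:
        dump = f.read()
    with open(os.path.join(shared_dir, "events.json")) as f:
        events = json.load(f)
    matched = [name for name, rule in RULES if rule(dump, sample, events)]
    return {"malicious": bool(matched), "matched": matched}


def run_sandbox(sample: bytes, trace: list, unpacked: bytes = b"") -> dict:
    """Simulated VM run: guest memory is the sample image plus whatever it unpacks at runtime."""
    with tempfile.TemporaryDirectory(prefix="vmm_ctrl_") as shared_dir:  # VMM-visible directory
        guest_memory = sample + b"\x00" * 32 + unpacked
        MonitoringModule(MemoryDumpModule(shared_dir)).observe(trace, guest_memory)
        return analyze(shared_dir, sample)


# Constructed inputs. The packed sample XOR-hides a PE image that only appears in memory.
PAYLOAD = build_fake_pe(b"http://c2.example.invalid/beacon\x00")
PACKED_SAMPLE = b"STUB" + bytes(b ^ 0x5A for b in PAYLOAD)
MALICIOUS_TRACE = [
    {"type": "file_read", "path": "C:\\Users\\victim\\sample.exe"},
    {"type": "autorun_persistence", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "outbound_connect", "dst": "c2.example.invalid:80"},
]
# An unpacked updater: its URL and PE header are already on disk, so nothing is "revealed
# only through execution" and its single trigger event produces a dump that matches no rule.
BENIGN_SAMPLE = build_fake_pe(b"http://updates.example.invalid/check\x00")
BENIGN_TRACE = [{"type": "file_read", "path": "C:\\Program Files\\app\\app.exe"},
                {"type": "outbound_connect", "dst": "updates.example.invalid:80"}]

if __name__ == "__main__":
    print(run_sandbox(PACKED_SAMPLE, MALICIOUS_TRACE, unpacked=PAYLOAD))
    print(run_sandbox(BENIGN_SAMPLE, BENIGN_TRACE))
```

Because `events.json` is rewritten on every dump with the events seen so far, the host sees the event that triggered the final dump together with everything before it, which is what lets a sequence rule (persistence, then beacon) fire without the guest having to send a separate message; claims 4 and 12 describe that message path as an alternative.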
May 31, 2016